Replace MimeMagic #41751
Conversation
I don't think this is going to be sufficient - the mime-types gem appears to only support lookups based on file extension.
Which is the only functionality used from searching the code.
See #41750 (comment) for at least one person using that feature.
The
I saw, the issues tracked rails/marcel#23
So managed to throw out the requirement on
The "magic byte" database is basically what
It's not actually safe to type files just based on extension, which may be maliciously changed. There was a whole class of security vulnerabilities involving this a couple of years ago, some involving ImageMagick. It actually is pretty important to use "magic bytes". But it's unclear if there is an open-source, non-GPL source of "magic bytes". This is a pretty big, disruptive problem, actually.
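The point made above, that a file should be typed by its leading bytes rather than by a client-chosen extension, as an added Ruby example that is not code from this pull request, from Rails, or from any of the gems discussed. The signature table is a small hand-written subset for illustration (not a copy of mimemagic's or any other database), and the allow list and the `validate_upload` helper are assumptions made for the example; the sample uploads are constructed inline.

```ruby
require "stringio"

# Hand-written signature subset (an assumption for this example, not any
# gem's database): [offset, magic bytes, MIME type].
MAGIC_SIGNATURES = [
  [0, "\x89PNG\r\n\x1A\n".b, "image/png"],
  [0, "\xFF\xD8\xFF".b,      "image/jpeg"],
  [0, "GIF87a".b,            "image/gif"],
  [0, "GIF89a".b,            "image/gif"],
  [0, "%PDF-".b,             "application/pdf"],
  [0, "PK\x03\x04".b,        "application/zip"],
].freeze

# Extension table: what the *client* claims the file is. Never trusted alone.
EXTENSION_TYPES = {
  "png" => "image/png", "jpg" => "image/jpeg", "jpeg" => "image/jpeg",
  "gif" => "image/gif", "pdf" => "application/pdf", "zip" => "application/zip",
}.freeze

# MIME type implied by the leading bytes of the stream, or nil if no
# signature matches. Only the first 16 bytes are read; the stream is rewound
# so the caller can still store it.
def sniff_mime(io)
  io.rewind if io.respond_to?(:rewind)
  head = io.read(16).to_s.b
  io.rewind if io.respond_to?(:rewind)
  MAGIC_SIGNATURES.each do |offset, magic, type|
    return type if head.byteslice(offset, magic.bytesize) == magic
  end
  nil
end

def mime_from_extension(filename)
  ext = File.extname(filename).delete_prefix(".").downcase
  EXTENSION_TYPES[ext]
end

# Accept an upload only when the sniffed type is on the allow list AND agrees
# with the type the extension claims. A renamed file (e.g. a script named
# .jpg) fails the sniff; a real PDF named .png fails the agreement check.
def validate_upload(filename, io, allowed: %w[image/png image/jpeg image/gif])
  sniffed  = sniff_mime(io)
  declared = mime_from_extension(filename)
  return [:reject, "unrecognised content"] if sniffed.nil?
  return [:reject, "type #{sniffed} not allowed"] unless allowed.include?(sniffed)
  if declared != sniffed
    return [:reject, "extension claims #{declared.inspect}, content is #{sniffed}"]
  end
  [:accept, sniffed]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample uploads, not real files.
  samples = {
    "cat.png" => "\x89PNG\r\n\x1A\n".b + "\x00".b * 8,   # genuine PNG header
    "cat.jpg" => "<?php echo 1; ?>".b,                  # script renamed to .jpg
    "doc.png" => "%PDF-1.4\n".b,                        # PDF renamed to .png
    "cat.gif" => "\xFF\xD8\xFF\xE0".b,                  # JPEG renamed to .gif
  }
  samples.each do |name, bytes|
    puts "#{name}: #{validate_upload(name, StringIO.new(bytes)).inspect}"
  end
end
```

Sniffing covers only formats with a fixed signature; text-based types (CSV, SVG, HTML) need a different rule, and a match on magic bytes says nothing about what follows them, so a decoder such as ImageMagick must still be treated as untrusted-input parsing.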
Yes, I looked into it, hence why I've updated the main description of this pull request.
The documentation for this part of the shrine gem usefully gives us a list of some alternatives. https://shrinerb.com/docs/plugins/determine_mime_type There aren't any great ones. One interesting one is: https://github.com/blackwinter/ruby-filemagic It also has a "magic byte" database. But it's marked as "no longer maintained", and it has no license information at all, and I'm not sure where its original magic byte database came from; it's possible it is also unlabelled GPL. Oops, it also has some native C parts, it's not pure Ruby, so that doesn't work great either. Really, the main problem is figuring out if there's a non-viral open-source source of "magic byte" information at all.
Agreed, and I would love to get some involvement from the Rails core team or Basecamp to find a suitable way to proceed with this. I'm more than happy to make the required pull requests for the involved gems where needed, but I'd like someone to steer this.
BSD's file(1) uses a BSD-licensed database, I believe |
Hi. Maintainer of mime-types and mime-types-data chiming in:
I don't really have the time or expertise to do this, but I can highly recommend building this into mime-types-data as available data and building something on top of this. The real jewel of mime-types is mime-types-data, which can and should be used across the Ruby ecosystem (I'm going to be doing a little work to also make it possible to use this data in the Elixir ecosystem).
I like this idea and approach, actually.
Thank you for the pull request. We are working on a solution as we speak. We are taking a different direction. See #41750 (comment).
Thanks for getting in touch.
Still, thanks a lot for trying to find a fix @coding-bunny, I hope the whole world appreciates it 😄
I updated mimemagic and then the issue was gone; maybe this is a temporary fix, but I don't want to be stuck ;). 'bundle update mimemagic'
Please read the discussion and pull request. Upgrading to a GPL license is not possible for everyone.
Thanks for the update @rafaelfranca - will this solution also be backwards compatible with older Rails versions?
Yes. |
Description
Rails depends on this gem for its mime-type logic when handling files.
This gem, however, was never MIT compliant and is supposed to be released under the GPL.
Combined with versions being yanked and released as GPL, this is not a viable path for Rails, or downstream services, to follow.
For the discussion see: #41750
This pull request removes the dependency from Rails directly, and uses another MIT-licensed gem to replace the logic where appropriate. The only issue remaining is the marcel gem, another dependency that also requires this gem. I've linked the issue inside the ongoing discussion for that gem here.
So this PR is only viable when marcel either finds an MIT-viable solution for their own gem, or follows the same approach and ditches the offending gem somehow and releases a new version.